Each CA is required (under the BRs) to provide public information on how to submit certificate problem reports, including mis-issued certificates. The only way to properly notify the CA is through that mechanism as those are monitored 24 hours. CAs participating on the list usually have a couple of reps who monitor and participate, but not 24x7. I do agree there should be penalties for missing the 24 hour requirement to give the BRs a bit more teeth, but those penalties should be based on the proper notice process being followed.
I would also love to see a more standardized notice mechanism that is universal to all CAs. Right now, notifying CAs is a pain as some have different webforms, some use email, and some don't readily tell you how to contact them about certificate problems.

Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Alex Gaynor via dev-security-policy
Sent: Tuesday, July 25, 2017 10:58 AM
To: Alex Gaynor <alex.gay...@gmail.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Miss-issuance: URI in dNSName SAN

Following up on this (and really several other threads). The BRs require mis-issued certs to be revoked within 24 hours of the CA becoming aware. CAs are required to track m.d.s.p. per the Mozilla Root Policy, so really notifying this list _ought_ to qualify as notifying the CAs.

In any event, here are some certificates, by CA, that have been mis-issued and linked on this list many days ago at this point:

PSCProcert - https://crt.sh/?id=124094761 - dNSName is a URI
PSCProcert - https://crt.sh/?id=175466182 - dNSName is for a .local domain
Camerfirma AAPP II - 2014 - https://crt.sh/?id=42531587 - dNSName is a URI
AC CAMERFIRMA AAPP - https://crt.sh/?id=5129200 - dNSName is a URI
StartCom Class 2 Primary Intermediate Server CA - https://crt.sh/?id=10714112 - incorrect wildcard "*g10.net-lab.net"
StartCom Class 3 OV Server CA - https://crt.sh/?id=17295812 - incorrect wildcard "*dev02.calendar42.com"
StartCom Class 1 DV Server CA - https://crt.sh/?id=78248795 - invalid dNSName "-1ccenter.777chao.com"
TI Trust Technologies Global CA - https://crt.sh/?id=48682944 - invalid wildcard "*nuvolaitaliana.it"
UniCredit Subordinate External - https://crt.sh/?id=44997156 - invalid wildcard "*.*.rnd.unicredit.it"
Swisscom Smaragd CA 2 - https://crt.sh/?id=5982951 - invalid wildcard "*.*.int.swisscom.ch"
Swisscom Smaragd CA 2 - https://crt.sh/?id=175444569 - dNSName is for a .local domain
Verizon Public SureServer CA G14-SHA2 - https://crt.sh/?id=33626750 - dNSName is for a .test domain
Verizon Public SureServer CA G14-SHA2 - https://crt.sh/?id=12344381 - dNSName is for a .local domain
CLASS 2 KEYNECTIS CA - https://crt.sh/?id=42475510 - dNSName is for a .corp domain
EC-SectorPublic - https://crt.sh/?id=98706307 - dNSName is for a .local domain

Should there be some penalty for the failure of CAs to revoke within the time period required by the BRs?

Alex

On Sat, Jul 22, 2017 at 10:11 AM, alex.gaynor--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> It has now been several days, does Camerfirma intend to revoke these
> certificates, as required by the BRs (within 24 hours of being notified)?
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
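As an added example (not from this thread or from any CA's tooling), a small Python checker that flags the classes of dNSName SAN defect cited above: URI values, reserved internal suffixes, partial or non-leftmost wildcards, and labels that are not valid LDH labels. The reserved-suffix set and the sample names are constructed from the thread; it checks syntax only, not domain validation.

```python
import re
from typing import List

# Constructed from the thread: suffixes that are not publicly resolvable and so
# must not appear in a publicly trusted certificate (.local, .test and .corp are
# cited above; .example, .invalid and .localhost are reserved by RFC 2606/6761).
RESERVED_TLDS = {"local", "test", "corp", "example", "invalid", "localhost"}

# LDH label: letters, digits, hyphens, 1-63 chars, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_dns_name(name: str) -> List[str]:
    """Return the BR-style problems found in one dNSName SAN value ([] if none)."""
    problems = []
    if "://" in name or "/" in name:
        # dNSName must hold a bare hostname; a scheme or path means it is a URI
        problems.append("value is a URI, not a hostname")
        return problems
    labels = name.split(".")
    if labels[-1].lower() in RESERVED_TLDS:
        problems.append(f"internal/reserved name (.{labels[-1].lower()})")
    wildcard_idx = [i for i, lab in enumerate(labels) if "*" in lab]
    if len(wildcard_idx) > 1:
        problems.append("more than one wildcard label")
    for i in wildcard_idx:
        if labels[i] != "*":
            # '*g10' or '*dev02': the wildcard must be the whole label
            problems.append(f"partial wildcard label '{labels[i]}'")
        elif i != 0:
            problems.append("wildcard is not the leftmost label")
    for lab in labels:
        if "*" not in lab and not LABEL_RE.match(lab):
            problems.append(f"label '{lab}' is not a valid LDH label")
    return problems


# Constructed sample: names cited in the thread plus a URI and a valid control.
SAMPLE_NAMES = [
    "*g10.net-lab.net", "*dev02.calendar42.com", "-1ccenter.777chao.com",
    "*nuvolaitaliana.it", "*.*.rnd.unicredit.it", "*.*.int.swisscom.ch",
    "intranet.example.local", "https://example.com/", "www.example.com",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(n, "->", check_dns_name(n) or "ok")
```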